YouTube - Open redirection
Google fixed this a year after I reported this bug and yet refused to accept this as a vulnerability; got no luck with bug bounties, haha.
The attacker sends a YouTube link and lures the victim into clicking on it.
The link redirects the victim to the attacker’s malicious phishing website, which asks for YouTube credentials.
The victim enters his YouTube credentials because he thinks he is still on the YouTube domain.
The attacker takes over the victim’s YouTube account (which is actually a Google account, so he can also take over Gmail, Drive, etc.).
PoC Video: https://www.youtube.com/watch?v=CcsJ8EXUIvA
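
On the defending side, an open redirect like this is closed by validating the redirect target before sending the user there. The check below is an added example, not code from the original post or from YouTube; the allowlist, the function name `safeRedirectTarget` and the sample hosts such as `phish.example` are assumptions made for illustration.

```javascript
// Hosts this (hypothetical) site is willing to redirect to. Assumed values.
const ALLOWED_HOSTS = new Set(['www.youtube.com', 'accounts.google.com']);
const BASE = 'https://www.youtube.com';

// Returns an absolute URL that is safe to redirect to, or `fallback`
// when the requested target would leave the allowlisted hosts.
function safeRedirectTarget(raw, fallback = BASE + '/') {
  if (typeof raw !== 'string' || raw.length === 0) return fallback;

  // Browsers strip tabs/newlines while parsing URLs, which can hide a
  // host from naive string checks. Reject control chars and spaces.
  if (/[\u0000-\u0020\u007f]/.test(raw)) return fallback;

  let url;
  try {
    // Parse with the WHATWG URL parser so "//host", "/\host" and
    // similar forms resolve exactly as the victim's browser would.
    url = new URL(raw, BASE);
  } catch {
    return fallback;
  }

  if (url.protocol !== 'https:') return fallback;        // no javascript:, data:, http:
  if (url.username || url.password) return fallback;     // no user@host tricks
  if (url.port !== '') return fallback;                  // default port only
  if (!ALLOWED_HOSTS.has(url.hostname)) return fallback; // exact host match, no suffix match

  return url.href;
}

// Constructed sample inputs: the first two are legitimate, the rest are
// common ways a redirect parameter is pointed at an outside host.
const samples = [
  '/watch?v=CcsJ8EXUIvA',
  'https://accounts.google.com/signin',
  'https://phish.example/login',
  '//phish.example/login',
  '/\\phish.example/login',
  'https://www.youtube.com@phish.example/',
  'https://www.youtube.com.phish.example/',
  'javascript:alert(1)',
];
for (const s of samples) {
  console.log(JSON.stringify(s), '->', safeRedirectTarget(s));
}
```

Matching the parsed hostname exactly, rather than checking that the string starts with or contains the trusted domain, is what rejects the `@` and look-alike subdomain forms.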